Vulnerability scanning is inefficient – there is a better way

Vulnerability management (VM) should reduce risks. In reality, however, it often causes more confusion than good. Most programs are based on the output of vulnerability scanners and compliance checklists, not evidence of exploitable vulnerabilities. As a result, security teams often spend hours poring over unverified findings, dealing with false positives, and struggling to show whether their work actually made a difference.

It’s not a tool problem. It’s a process failure.

The traditional vulnerability management lifecycle is full of friction.

On paper, the life cycle looks simple:

Detect → Assess → Prioritize → Correct → Verify

But in the real world, it goes more like this:

Detect (too much) → Assess (manually) → Prioritize (estimate) → Correct (maybe) → Verify (maybe sometimes… or never)

Vulnerability detection often takes days and is done through isolated tools, and prioritization is reactive, driven by CVSS scores rather than actual risk. Findings often lack context, leading to incorrect ticketing or duplicate work. Verifying that a problem has actually been resolved is often the last thing on the team’s mind – if it happens at all. Here’s an example of what Horizon3.ai often hears from potential customers when they talk about their vulnerability management programs:

“We had over 9,000 vulnerabilities identified. Our team couldn’t distinguish which were real, let alone which were important.”

– Head of Security Operations, Defence Industry

“Verification for larger issues often takes days. In the meantime, the team moves on.”

– Safety Engineer, Construction Company

When no one can prove what is actually exploitable in a successful attack, or what has actually been fixed, leadership ends up asking the same questions: are we safe? How do we know?

The NodeZero® approach: proof instead of guesswork

NodeZero doesn’t simulate risk, it proves it. Instead of guessing which CVEs are important, it performs real attacks in internal, external, cloud and identity management environments. If NodeZero discovers a weakness, it’s because it was able to not only detect it, but more importantly, fully exploit it.

This gives security teams what they really need: real attack paths instead of hypothetical risks, proof of impact instead of probabilistic scores, and fixes that have been verified, not just marked as “closed”. This visibility allows teams to properly prioritize work, confirm completion, and demonstrate real risk reduction over the long term.

Vulnerability Management Hub

Where findings meet action

The Horizon3.ai Vulnerability Management Hub translates all NodeZero findings into clear and trackable action steps. It’s not just another vulnerability dashboard, but a management hub for validated risks – designed for problem solvers, not just auditors.

Findings from NodeZero are centralised, duplicates are removed, and information on exploitability, privilege level and business impact is added. With status tracking, teams can quickly see what is still active, what has been resolved and what has resurfaced. The system allows you to set statuses such as Fixed, Risk Accepted and Alternative Action Taken, providing the audit trail needed to ensure accountability.

1-Click Verify (1CV) allows teams to instantly retest fixes without waiting for another penetration testing cycle. Whether run individually or in bulk, verification becomes a quick and seamless step in the remediation process. With the planned integration with Jira and ServiceNow, patch tracking and verification will no longer operate separately – they will be integrated directly into existing remediation workflows.

“With 1-Click Verify, I can quickly verify our corrective actions and save countless hours.”

– Director of Information Security, a US university

From confusion to priorities

Traditional vulnerability management tools show what is likely to be vulnerable. NodeZero reveals exactly what could be achieved and what attackers could exploit right now.

“We spent weeks fixing problems that our scanner had flagged as ‘critical’, only to find out later that they couldn’t be exploited. Meanwhile, the real weaknesses remained unfixed.”

– IT Risk Analyst, Global Supplier to the Aerospace Industry

Repeated testing in real time reduces exposure time and MTTR. Verifying that a fix is deployed doesn’t take days or weeks because it’s on-demand. Weaknesses are scored based on actual impact, so teams focus on what matters. And because each fix is linked to a realistic attack path, reporting risk to management is not only easier, but also more credible.

Designed around how the engineers who remediate vulnerabilities actually work

The Hub was designed primarily for day-to-day remediation work, not just for reporting. It allows teams to verify findings in bulk, remove outdated data, and get credit for fixes that previously went unverified. Smart filtering highlights the most significant risks, while notes and status flags help document decisions and simplify audits. With a complete history of weaknesses across assets, test campaigns and environments, teams finally get the visibility they need to act with confidence.

“We used to spend our days preparing for vulnerability reviews. Now we simply open the Hub.”

– CISO, a large healthcare organisation

From the moment a problem is found until it is resolved, NodeZero gives teams control over the entire vulnerability lifecycle with real, measurable results that can be documented.

From Find-Repair-Check to Prove-Prioritize-Close

Most vulnerability management programs overwhelm security teams with a plethora of problems and leave them guessing what to fix first. NodeZero reverses this pattern. Teams start with evidence, prioritize fixes based on actual impact, and conclude the process with validation. In this way, risk is actually reduced and the work done can be documented.

Laying the foundations for the future of risk-based vulnerability management

The Vulnerability Management Hub is just the beginning. Validating exploitability, assessing impact and verifying fixes in real time form the basis for a more advanced, outcome-based approach to risk management.

Horizon3.ai’s CEO, Snehal Antani, recently introduced a new vulnerability management model – a model built not on assumptions or static scores, but on evidence. In this next phase, risk will be measured across multiple dimensions:

    • Exploitability – Has the weakness actually been exploited in a real attack path?
    • Detection maturity – Did existing tools detect this behaviour or miss it?
    • Speed of remediation – How quickly was the problem mitigated or corrected?
    • Business impact – What are the operational consequences if it is abused?
    • Threat focus – Are known attackers actively using this technique?
    • Regression – Do previously corrected weaknesses return over time?

Today, the Hub provides many of these features and serves as the foundation for what comes next – a complete, evidence-based understanding of the security posture that is continually tested, measured and refined.
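To make the workflow the Hub section and the risk dimensions above describe concrete, here is a small tracker written for this page (not Horizon3.ai or NodeZero code): it dedupes findings per test run, carries documented decisions forward, flags regressions (a Fixed finding that comes back), credits fixes the retest no longer reproduces, and orders remaining work by proven exploitability and impact, with the scanner score only as a tie-breaker. Field names, statuses and the sample data are constructed assumptions.

```python
from dataclasses import dataclass

OPEN, FIXED, RISK_ACCEPTED, ALT_ACTION, RESURFACED = (
    "Open", "Fixed", "Risk Accepted", "Alternative Action", "Resurfaced")

@dataclass
class Finding:
    host: str
    weakness: str      # CVE id or misconfiguration name
    cvss: float        # scanner score, used only as a tie-breaker
    exploited: bool    # proven as a step in a real attack path
    impact: int        # 0..3 operational impact if abused
    status: str = OPEN

def key(f):
    return (f.host, f.weakness)

def reconcile(previous, current):
    """Merge a new test run into prior state (assumes the run retested the same scope)."""
    state = {key(f): f for f in previous}
    seen = set()
    for f in current:
        k = key(f)
        if k in seen:          # duplicate within the run
            continue
        seen.add(k)
        old = state.get(k)
        if old is not None:    # Fixed-and-back is a regression; other statuses carry over
            f.status = RESURFACED if old.status == FIXED else old.status
        state[k] = f
    for k, old in state.items():
        if k not in seen and old.status in (OPEN, RESURFACED):
            old.status = FIXED  # the retest no longer reproduces it: verified fix
    return state

def prioritize(state):
    """Work queue: active findings only, exploited and high-impact first, CVSS last."""
    active = [f for f in state.values() if f.status in (OPEN, RESURFACED)]
    return sorted(active, key=lambda f: (not f.exploited, -f.impact,
                                         f.status != RESURFACED, -f.cvss))

def sample_run():
    """Constructed data: a prior state and a fresh run that contains a duplicate."""
    previous = [Finding("db1", "default-creds", 9.8, False, 1, FIXED),
                Finding("web1", "weak-smb-signing", 5.3, True, 3),
                Finding("app2", "outdated-tls", 7.5, False, 2, RISK_ACCEPTED)]
    current = [Finding("db1", "default-creds", 9.8, True, 2),
               Finding("db1", "default-creds", 9.8, True, 2),
               Finding("app2", "outdated-tls", 7.5, False, 2),
               Finding("fs3", "anon-share-write", 4.0, True, 3)]
    state = reconcile(previous, current)
    return state, prioritize(state)
```

Note that the low-CVSS writable share outranks the 9.8-scored credential finding because it is exploited and has higher impact, which is the point the text makes about CVSS-driven queues.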

Perform your first vulnerability assessment based on validated evidence

You’ll see how quickly you can go from a messy situation to being in control. Start with proven weaknesses. Fix what actually matters. Verify the outcome.

Contact Sec4good and test NodeZero
Derived from a post by Stephen Gates of Horizon3.ai